As the pace of electronic commerce and online communications increases, the need for security and for the ability to authenticate communications between parties has become critical. To meet this need, a public key infrastructure (PKI) has been developed to allow for encryption, decryption, digital signatures, and signature authentication. This encryption scheme involves public and private keys, used in conjunction, to encrypt and decrypt electronic messages. Companies such as IdCertity, Verisign, and Thawte are known as Certificate Authorities; they verify the identity of entities seeking digital certificates, issue digital certificates, and make digital certificates available in public databases. The University of Southern California provides such a database, and the Massachusetts Institute of Technology (MIT) provides another.
Encryption schemes that rely upon these public databases are unmanageably complex to the average user. The user must know the public key of each recipient, know how to encrypt a message, maintain their own private key, and know how to decrypt messages. These solutions also rely on distributed client software to perform encryption functions, which creates another disadvantage: each client must be able to manage the keys of senders and recipients. Distribution of public keys requires heavy investments in software and labor by the end user in order to correctly implement the client software. These solutions require that the client perform the functions of encryption and decryption. Placing this responsibility on individual users opens the door to user error and undermines the security of the entire system. Further, centralized management of public and private keys creates a bottleneck that inhibits the speed with which an encryption network can be maintained and limits its ability to expand.
Therefore, there is a need for an encryption system with automated distributed key management that is implemented and operated with minimal interaction between senders and recipients. There is also a need for a system capable of querying and discovering public keys from many different Certificate Authorities or other remote databases having public keys.
In describing the current invention, the following terms are helpful:
Domain—a logical unit representing a collection of computers or a segment of computer network accessible by specific users who are members of the domain.
Secure Domain—a logical unit representing a collection of computers or a segment of a computer network utilizing encryption software of one or more secure servers.
Message Verification—the process of using the public key to determine whether a message was sent, in actuality, from the named sender.
Certification—the process of associating a public key with an individual, organization, or other entity to determine that a message was “certified” from that specific entity.
Digital Certificate—the mathematical parameters of a public key combined with identifying information regarding the owner or user of that public key. The contents of a digital certificate are cryptographically signed in order to protect its integrity. A Certification Authority issues Digital Certificates.
Certification Authority—A person, organization, or other entity charged with the duty of Certification. It is the Certification Authority's responsibility to perform whatever identity verification is necessary to associate a real person with the Digital Certificate that will represent them.
Internet Message Access Protocol (IMAP)—a computer network protocol that allows computer software to manage the contents of electronic mailboxes that are stored on a remote computer. By sending IMAP messages, software can fetch, store, and delete messages, as well as create, delete, and rename mailboxes.
Multi-purpose Internet Mail Extensions (MIME)—Special encoding protocols used by electronic communications software (both the world wide web and e-mail, for instance). These encodings allow messages to identify and transmit various kinds of content and formats such as binary, audio, video, graphics, or other content types.
Post Office Protocol (POP)—a computer network protocol that allows computer software to manage the contents of a single electronic mailbox that is stored on a remote computer. POP is very similar to, but simpler than, IMAP. By sending POP messages software can retrieve and delete messages from a single mailbox stored on a remote computer.
Private key—one of a pair of mathematical parameters that are uniquely and tightly linked to a “public key.” Encryption algorithms use these parameters to produce an encrypted version of information. The private key is mathematically linked to its unique public key so that only that public key can decrypt information encrypted by that private key.
Public key—the other of a linked pair of mathematical parameters. Only the corresponding private key can possibly decrypt any information encrypted by the public key.
Public key infrastructure (PKI)—a combination of software, hardware, encryption technologies, and services that enable the protection of electronic communications and business transactions over a computer network.
Public key publication—the process of making public keys available to individuals who wish to send encrypted messages to others able to receive and decrypt encrypted messages.
Simple mail transfer protocol (SMTP)—a server-to-server protocol for delivering electronic mail. SMTP is the standard protocol presently used on the Internet as well as on other TCP/IP networks.
In order for an encryption system to function, there must be controlled access to the public and private keys of the senders and recipients. The sender of a message requires access to the recipient's public key for encrypting a message. The sender needs access to his own private key for signing a message. The sender needs access to his private key for decrypting messages received. The recipient requires access to the sender's public key for signature authentication. Therefore, both the sender and recipient must have a system, process or method for discovering the respective public keys as well as a system, process or method for securely storing and accessing their respective private keys. Advantageously, access to the public and private keys, the related process for encryption, decryption, signing, and authentication should be automated so that intervention by the sender or recipient is not required.
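The four key accesses described above (recipient's public key to encrypt, sender's private key to sign, recipient's private key to decrypt, sender's public key to authenticate) can be traced in a short sketch. This is an added example, not code from the original document: `SecureServer`, `enroll`, `send`, `receive` and the `.example` addresses are hypothetical names, and the keys are textbook RSA built from constructed primes with no padding, so it illustrates key placement only and is not a secure cipher.

```python
import hashlib

# Constructed Mersenne primes; textbook RSA without padding. Illustration only.
PRIMES_A = (2**31 - 1, 2**61 - 1)
PRIMES_B = (2**89 - 1, 2**107 - 1)

def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # (public, private)

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

class SecureServer:
    """Hypothetical per-domain server: keeps its users' private keys,
    discovers everyone's public keys in a shared directory."""
    def __init__(self, directory):
        self.directory = directory             # address -> public key
        self.private_keys = {}                 # address -> private key, local only

    def enroll(self, address, p, q):           # administrator action, not the user's
        public, private = make_keypair(p, q)
        self.directory[address] = public
        self.private_keys[address] = private

    def send(self, sender, recipient, message):
        n_s, d_s = self.private_keys[sender]   # sender's private key: sign
        n_r, e_r = self.directory[recipient]   # recipient's public key: encrypt
        signature = pow(digest(message, n_s), d_s, n_s)
        body = [pow(b, e_r, n_r) for b in message]   # bytewise, toy only
        return {"from": sender, "to": recipient, "body": body, "sig": signature}

    def receive(self, envelope):
        n_r, d_r = self.private_keys[envelope["to"]]   # recipient's private key: decrypt
        n_s, e_s = self.directory[envelope["from"]]    # sender's public key: authenticate
        message = bytes(pow(c, d_r, n_r) for c in envelope["body"])
        authentic = pow(envelope["sig"], e_s, n_s) == digest(message, n_s)
        return message, authentic

def demo():
    directory = {}                             # stands in for a remote key database
    a, b = SecureServer(directory), SecureServer(directory)
    a.enroll("alice@a.example", *PRIMES_A)
    b.enroll("bob@b.example", *PRIMES_B)
    envelope = a.send("alice@a.example", "bob@b.example", b"wire the funds")
    return a, b, envelope
```

Neither user handles a key in this flow: each server uses only the private keys of its own domain and looks up the other party's public key in the directory.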
Accordingly, it is an object of this invention to provide for an automated encryption system for encrypting, decrypting, signing, and authenticating electronic messages, attachments and documents without significant maintenance or user intervention.
It is another object of this invention to allow a system administrator to maintain public and private key pairs for senders and recipients so that the burden of maintenance of the encryption system is focused on the administrator rather than the sender and recipient.
It is another object of this invention to provide for access to the public keys of users located outside of the specific secure domain.